My current setup:
I wanted to use Windows App Infrastructure to read the logs, so I followed this documentation https://docs.splunk.com/Documentation/MSApp/1.4.2/MSInfra/ConfiguretheSplunkAppforWindowsInfrastruct...
I have installed all add-ons required on both the Splunk indexer and the domain controller. The networking and firewall rules are all fine because I can receive "Active Directory" logs on the indexer.
However, I cannot get any WinEventLog (Security, Application, System), even though I have enabled the monitoring in inputs.conf (\etc\deployment-apps\Splunk_TA_windows\local\inputs.conf).
This is how my inputs.conf looks:
[WinEventLog://Application]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
[WinEventLog://Security]
disabled = 0
start_from = oldest
current_only = 1
evt_resolve_ad_obj = 1
checkpointInterval = 5
blacklist1 = EventCode="4662" Message="Object Type:(?!\s*groupPolicyContainer)"
blacklist2 = EventCode="566" Message="Object Type:(?!\s*groupPolicyContainer)"
index = wineventlog
renderXml=false
[WinEventLog://System]
disabled = 0
start_from = oldest
current_only = 1
checkpointInterval = 5
index = wineventlog
renderXml=false
Can anyone tell me why I cannot get those logs to the indexer?
Thanks
Hi johant,
there are some checks to perform on your system to find the problem:
./splunk cmd btool inputs list --debug > inputs.txt
Check if there are other wineventlog configurations where WinEventLog://Security is disabled.
Bye.
Giuseppe
How did you enable these logs? I failed to change disabled=0 for System and Application. Even though I try to do it after stopping splunkd, I still receive an error that the file is open somewhere.
Hi SumitPan,
I assume you grab the logs using the Universal Forwarder? If so, you have to make sure that you choose "custom installation"; otherwise the UF will send all Windows logs by default, and I found that we cannot change that in inputs.conf.
Regards,
Johan Tanadi
Did you choose the "restart your forwarder" option after deployment when configuring the server class on your deployment server? If you make any change to your input stanzas, you need to restart your Splunk forwarder. Choose the option to restart the forwarder and push your bundle again.
Hi Hardik,
No, I did not enable that option; however, I manually restarted the UF and I still cannot get the logs to my indexer.
Is it a best practice to automatically restart the forwarder every time I make a deployment?
Thanks
It will depend on the type of applications that you are pushing to the forwarder. But to be on the safer side you can keep this option selected.
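The deployment-server setting Hardik is referring to, shown here as an added serverclass.conf example that is not from the thread. The server class name and the host whitelist pattern are assumptions; the app name is the one used in the question.

```ini
# Added example, not from the thread: restart the forwarder whenever this app is pushed.
# The class name and host pattern are assumptions; the app name is the one used in the thread.
[serverClass:windows_dcs]
whitelist.0 = dc*.example.local

[serverClass:windows_dcs:app:Splunk_TA_windows]
restartSplunkd = true
```

With restartSplunkd = true on the app entry, every push of that app triggers a splunkd restart on the matching forwarders, so a changed WinEventLog stanza takes effect without a manual restart on each host.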
Hi Giuseppe,
Thanks
sorry, but maybe I was misunderstood: this command must be run on the forwarder, not on the indexer:
splunk cmd btool inputs list --debug > inputs.txt
Bye.
Giuseppe
Yes, I ran that on the forwarder and I still cannot find WinEventLog://Security.
It is all right now. I re-installed the forwarder on the Windows machine, and when I run those commands I can see all the inputs that I wanted.
Just an additional bit: at installation, the Splunk Forwarder on Windows usually configures WinEventLog ingestion.
To avoid problems like the ones you had, I usually disable this ingestion and install Splunk_TA_windows, configured to my project needs, always using a Deployment Server.
Bye.
Giuseppe
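A script, added here as an example and not code from the thread or from Splunk, that automates Giuseppe's btool check on the forwarder and also surfaces the install-time WinEventLog configuration he mentions. It runs `splunk cmd btool inputs list --debug` on a Windows Universal Forwarder (or reads a saved dump such as the thread's inputs.txt) and reports, for every effective WinEventLog:// stanza, its disabled value and which .conf file supplied it. The default install path and the parameter names are assumptions.

```powershell
# Added example; not code from the thread or from Splunk. It runs Giuseppe's check
# ('splunk cmd btool inputs list --debug') on a Windows Universal Forwarder and reports,
# for every effective WinEventLog:// stanza, its 'disabled' value and the .conf file that
# supplied it, so an install-time or other app's 'disabled = 1' shows up immediately.
# Assumed (not in the thread): the default UF install path and the parameter names below.
param(
    [string]$SplunkHome = 'C:\Program Files\SplunkUniversalForwarder',
    [string]$InputsTxt            # optional: a saved btool dump such as the thread's inputs.txt
)

if ($InputsTxt) {
    $lines = Get-Content -Path $InputsTxt
} else {
    $splunk = Join-Path $SplunkHome 'bin\splunk.exe'
    # btool must run on the forwarder itself; it only sees that host's etc\ tree
    $lines = & $splunk cmd btool inputs list --debug 2>&1 | ForEach-Object { [string]$_ }
}

# With --debug, btool prefixes each line with the path of the .conf file whose value won
# the precedence merge, so a key and its stanza header can come from different files.
$stanzas = [ordered]@{}
$current = $null
foreach ($line in $lines) {
    if ($line -match '^(?<file>.+?\.conf)\s+(?<body>\S.*)$') {
        $file = $Matches['file']
        $body = $Matches['body'].Trim()
        if ($body -match '^\[(?<name>WinEventLog://[^\]]+)\]$') {
            $current = $Matches['name']
            $stanzas[$current] = @{ StanzaFile = $file; Disabled = $null; DisabledFile = $null; Index = $null }
        } elseif ($body.StartsWith('[')) {
            $current = $null     # a non-WinEventLog stanza; ignore its keys
        } elseif ($null -ne $current -and $body -match '^(?<key>[A-Za-z0-9_.]+)\s*=\s*(?<val>.*)$') {
            $key = $Matches['key']
            $val = $Matches['val'].Trim()
            switch ($key) {
                'disabled' { $stanzas[$current]['Disabled'] = $val; $stanzas[$current]['DisabledFile'] = $file }
                'index'    { $stanzas[$current]['Index'] = $val }
            }
        }
    }
}

if ($stanzas.Count -eq 0) {
    Write-Warning 'No WinEventLog:// stanza is effective on this host: the app was not deployed here, or the forwarder was not restarted after deployment.'
}

$stanzas.GetEnumerator() | ForEach-Object {
    $s = $_.Value
    $isDisabled = $s['Disabled'] -in @('1', 'true')
    $state = if ($isDisabled) { 'DISABLED' } else { 'enabled' }
    # If 'disabled' won from a different file than the stanza header (typically
    # etc\apps\SplunkUniversalForwarder\local or etc\system\local), that file overrides your TA.
    $overridden = ($null -ne $s['DisabledFile'] -and $s['DisabledFile'] -ne $s['StanzaFile'])
    [pscustomobject]@{
        Stanza       = $_.Key
        State        = $state
        Index        = $s['Index']
        DefinedIn    = $s['StanzaFile']
        DisabledFrom = $s['DisabledFile']
        Overridden   = $overridden
    }
} | Format-Table -AutoSize
```

Run it as Administrator on the forwarder, or pass `-InputsTxt .\inputs.txt` to analyse a dump copied from one. A row with State DISABLED and Overridden True is the case Giuseppe describes: your deployed Splunk_TA_windows stanza exists, but a higher-precedence local inputs.conf (often the one the installer wrote) is switching it off; an empty result means the app never reached this host or splunkd was not restarted after the push.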